On Fri, May 18, 2012 at 10:34:45AM -0400, Daniel J Walsh wrote:
On 05/17/2012 07:32 PM, Chuck Anderson wrote:
I'm using EL 6.2 with sendmail & procmail. I'm having trouble with calling custom scripts in my home directory from .procmailrc such as this recipe:
######################################################
#
# BACKUP INCOMING MAIL
#
# Stores the last 16 messages in a backup folder.
# "Just in Case"
#
# Create a folder in your $MAILDIR called "backup"
# BEFORE you execute this procmail recipe.
#
:0 c
backup

:0 ic
| /home/cra/bin/procmail-prune-backup-msg
The script is labeled with home_bin_t:
-rwxr-xr-x. cra cra system_u:object_r:home_bin_t:s0 /home/cra/bin/procmail-prune-backup-msg
which is a Bourne Shell script similar to this:
#!/bin/sh
# Keep only the newest 256 msg.* files in the backup folder and delete the rest.
# Bail out if the folder is missing so rm never runs in the wrong directory.
cd /home/cra/mail/backup || exit 1
/bin/ls -t | /bin/grep ^msg. | /bin/sed -e 1,256d | /usr/bin/xargs -n 256 /bin/rm -f
In my procmail log I get:
/bin/sh: /home/cra/bin/procmail-prune-backup-msg: Permission denied
It works if I "setenforce 0".
With Enforcing, here is the AVC I get (after enabling dontaudit rules with semodule -DB):
# ausearch -i -m AVC
type=SYSCALL msg=audit(05/17/2012 19:17:15.773:273) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=1c8d460 a1=0 a2=1c8d487 a3=28 items=0 ppid=5252 pid=5257 auid=root uid=cra gid=cra euid=cra suid=cra fsuid=cra egid=cra sgid=cra fsgid=cra tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:procmail_t:s0 key=(null)
type=AVC msg=audit(05/17/2012 19:17:15.773:273) : avc: denied { search } for pid=5257 comm=sh name=bin dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir
I did a bunch of research on this and found this old changelog entry and the discussions/bugzillas leading up to it:
#rpm -q selinux-policy
selinux-policy-3.7.19-126.el6_2.10.noarch

#rpm -q --changelog selinux-policy
...
* Tue May 25 2010 Dan Walsh dwalsh@redhat.com 3.7.19-22
- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t
- Fix /var/run/abrtd.lock label
Was there a recent regression that broke this functionality or did it not really make it into Enterprise Linux despite this changelog? Any ideas on how to fix this cleanly without having to disable Enforcing mode?
Thanks.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Hey Chuck, could you check to see if this is fixed by installing the 6.3 policy? Preview currently available at:
people.redhat.com/dwalsh/SELinux/RHEL6
No go:
rpm -qa selinux-policy*
selinux-policy-targeted-3.7.19-153.el6.noarch
selinux-policy-3.7.19-153.el6.noarch
grep AVC /var/log/audit/audit.log | grep procmail | audit2allow -R

require {
	type sendmail_t;
	type spamc_t;
	type home_bin_t;
	type procmail_t;
	class process { siginh noatsecure rlimitinh };
	class dir search;
}

#============= procmail_t ==============
allow procmail_t home_bin_t:dir search;
allow procmail_t spamc_t:process { siginh rlimitinh noatsecure };

#============= sendmail_t ==============
allow sendmail_t procmail_t:process { siginh rlimitinh noatsecure };
I've attached the AVC and SYSCALL messages from audit.log from when I upgraded to 3.7.19-153. I believe the "semodule -DB" I did yesterday should still be in effect, so this includes things that are normally dontaudited.
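An added example, not part of this thread, for triaging raw audit.log AVC records like the ones above: it prints the allow rule audit2allow would derive from each denial (skipping granted records) and checks for the specific procmail_t search denial on a home_bin_t directory, so the rule can be reviewed before anyone decides whether a local policy module or a newer selinux-policy is the right fix. The sample records, function names and the temporary dedupe-by-sort are assumptions constructed here to mirror the thread's denials.

```shell
#!/bin/sh
# Constructed sample input modelled on the thread's denials: two denials
# from procmail_t (one on a home_bin_t dir, one on spamc_t) and one grant.
SAMPLE_AVCS='type=AVC msg=audit(1337296635.773:273): avc:  denied  { search } for  pid=5257 comm="sh" name="bin" dev=dm-10 ino=2760827 scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:home_bin_t:s0 tclass=dir
type=AVC msg=audit(1337296635.774:274): avc:  denied  { siginh rlimitinh noatsecure } for  pid=5258 comm="spamc" scontext=unconfined_u:system_r:procmail_t:s0 tcontext=unconfined_u:system_r:spamc_t:s0 tclass=process
type=AVC msg=audit(1337296635.775:275): avc:  granted  { search } for  pid=5259 comm="sh" name="mail" scontext=unconfined_u:system_r:procmail_t:s0 tcontext=user_u:object_r:mail_home_t:s0 tclass=dir'

# Value of "key=..." in one record (empty when the key is absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The type is the third colon-separated component of a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC records on stdin; emit one allow rule per denied record in
# audit2allow's notation (braces only for multi-permission sets), de-duplicated.
avc_to_allow_rules() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:  denied  {"*) ;;
            *) continue ;;           # skip granted records and non-AVC noise
        esac
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
        case "$perms" in *" "*) perms="{ $perms }" ;; esac
        src=$(ctx_type "$(avc_field "$line" scontext)")
        tgt=$(ctx_type "$(avc_field "$line" tcontext)")
        cls=$(avc_field "$line" tclass)
        printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
    done | sort -u
}

# Exit 0 when the thread's exact denial (procmail_t searching a home_bin_t
# directory) is present in the records on stdin, 1 otherwise.
has_procmail_home_bin_denial() {
    avc_to_allow_rules | grep -q '^allow procmail_t home_bin_t:dir search;$'
}
```

Feeding the real log through `grep AVC /var/log/audit/audit.log | avc_to_allow_rules` gives the same rule list as the audit2allow output above, which is the point at which to decide whether the access is legitimate before loading anything with semodule.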